Merge pull request #1082 from Aniak5/issue-834

Add JA4+ Network Traffic Fingerprints
ocsf · May 17, 2024 · fea283d · fea283d
2 parents 58d418f + 6c00052
commit fea283d
Show file tree

Hide file tree

Showing 5 changed files with 115 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -47,7 +47,9 @@ Thankyou! -->
     2. Added `Remediation Activity` `File Remediation Activity` `Process Remediation Activity` `Network Remediation Activity` event classes. #1066
 * #### Profiles
 * #### Objects
-    1. Added `d3fend` `d3f_tactic` `d3f_technique` MITRE objects. #1066
+    1. Added `d3fend` `d3f_tactic` `d3f_technique` MITRE objects. #1066 
+    2. Added `ja4_fingerprint` object. #834
+    3. Added `ja4_fingerprint_list` as a list of `ja4_fingerprint` objects.  #834
 * #### Platform Extensions
 
 ### Improved
@@ -56,10 +58,11 @@ Thankyou! -->
     1. Added `file_result` to File Hosting Activity. #1045
     2. Added entries to `injection_type_id` enum (`Process Activity`) and `activity_id` enum (`Memory Activity`). #1060
     3. Added a `Restart`, `Enable`, `Disable`, and `Update` `activity_id` to the `Application Lifecycle` class. #1064
+    4. Added `ja4_fingerprint_list` to base network event class. #834 
 * #### Profiles
 * #### Objects
-    1.  Added `ext` to `File` object. #1046
-    2. Added account, device, email, url, user to evidences in detection finding. #1000
+    1. Added `ext` to `File` object. #1046
+    2. Added `account`, `device`, `email`, `url`, `user` to `evidences` in detection finding. #1000
     3. Added `state_id`, `state` to `Digital Signature` object. #1069
 * #### Platform Extensions
 

diff --git a/dictionary.json b/dictionary.json
@@ -936,7 +936,7 @@
     },
     "component": {
       "caption": "Component",
-      "description": "<p>The name or relative pathname of a sub-component of the data object, if applicable. </p>For example: <code>attachment.doc</code>, <code>attachment.zip/bad.doc</code>, or <code>part.mime/part.cab/part.uue/part.doc</code>.",
+      "description": "The component of a data object. See specific usage.",
       "type": "string_t"
     },
     "condition": {
@@ -2237,6 +2237,12 @@
       "description": "The MD5 hash of a JA3S string.",
       "type": "fingerprint"
     },
+    "ja4_fingerprint_list": {
+      "caption": "JA4+ Fingerprints",
+      "description": "A list of the JA4+ network fingerprints.",
+      "type": "ja4_fingerprint",
+      "is_array": true
+    },
     "job": {
       "caption": "Job",
       "description": "The job object that pertains to the event.",
@@ -3577,6 +3583,26 @@
         }
       }
     },
+    "section_a": {
+      "caption": "JA4 Section A",
+      "description": "The 'a' section of the JA4 fingerprint.",
+      "type": "string_t"
+    },
+    "section_b": {
+      "caption": "JA4 Section B",
+      "description": "The 'b' section of the JA4 fingerprint.",
+      "type": "string_t"
+    },
+    "section_c": {
+      "caption": "JA4 Section C",
+      "description": "The 'c' section of the JA4 fingerprint.",
+      "type": "string_t"
+    },
+    "section_d": {
+      "caption": "JA4 Section D",
+      "description": "The 'd' section of the JA4 fingerprint.",
+      "type": "string_t"
+    },
     "secure": {
       "caption": "Secure",
       "description": "The cookie attribute to only send cookies to the server with an encrypted request over the HTTPS protocol.",

diff --git a/events/network/network.json b/events/network/network.json
@@ -30,6 +30,10 @@
       "group": "primary",
       "requirement": "required"
     },
+    "ja4_fingerprint_list": {
+      "group": "context",
+      "requirement": "optional"
+    },
     "proxy": {
       "group": "primary",
       "requirement": "recommended"

diff --git a/events/system/filesystem.json b/events/system/filesystem.json
@@ -74,6 +74,7 @@
       "requirement": "required"
     },
     "component": {
+      "description": "<p>The name or relative pathname of a sub-component of the data object, if applicable. </p>For example: <code>attachment.doc</code>, <code>attachment.zip/bad.doc</code>, or <code>part.mime/part.cab/part.uue/part.doc</code>.",
       "group": "primary",
       "requirement": "recommended"
     },

diff --git a/objects/ja4_fingerprint.json b/objects/ja4_fingerprint.json
@@ -0,0 +1,77 @@
+{
+  "caption": "JA4+ Fingerprint",
+  "description": "The JA4+ fingerprint object provides detailed fingerprint information about various aspects of network traffic which is both machine and human readable.",
+  "extends": "object",
+  "name": "ja4_fingerprint",
+  "attributes": {
+    "section_a": {
+      "requirement": "optional"
+    },
+    "section_b": {
+      "requirement": "optional"
+    },
+    "section_c": {
+      "requirement": "optional"
+    },
+    "section_d": {
+      "requirement": "optional"
+    },
+    "type": {
+      "description": "The JA4+ fingerprint type as defined by <a href='https://blog.foxio.io/ja4+-network-fingerprinting target='_blank'>FoxIO</a>, normalized to the caption of 'type_id'. In the case of 'Other', it is defined by the event source.",
+      "requirement": "optional"
+    },
+    "type_id": {
+      "description": "The identifier of the JA4+ fingerprint type.",
+      "enum": {
+        "0": {
+          "caption": "Unknown"
+        },
+        "1": {
+          "caption": "JA4",
+          "description": "TLS Client Fingerprint."
+        },
+        "2": {
+          "caption": "JA4Server",
+          "description": "TLS Server Response/Session Fingerprint."
+        },
+        "3": {
+          "caption": "JA4HTTP",
+          "description": "HTTP Client Fingerprint."
+        },
+        "4": {
+          "caption": "JA4Latency",
+          "description": "Latency Measurement/Light Distance Fingerprint."
+        },
+        "5": {
+          "caption": "JA4X509",
+          "description": "X509 TLS Certificate Fingerprint."
+        },
+        "6": {
+          "caption": "JA4SSH",
+          "description": "SSH Traffic Fingerprint."
+        },
+        "7": {
+          "caption": "JA4TCP",
+          "description": "Passive TCP Client Fingerprint."
+        },
+        "8": {
+          "caption": "JA4TCPServer",
+          "description": "Passive TCP Server Fingerprint."
+        },
+        "9": {
+          "caption": "JA4TCPScan",
+          "description": "Active TCP Server Fingerprint."
+        },
+        "99": {
+          "caption": "Other"
+        }
+      },
+      "requirement": "required"
+    },
+    "value": {
+      "description": "The JA4+ fingerprint value.",
+      "requirement": "required",
+      "type": "string_t"
+    }
+  }
+}